[This article was written by Don, our senior architect and specialist in the Health IT space.]
“Is our app HIPAA compliant?”
For anyone in the Health IT space, this is a frequently asked question.
It’s a well-meaning question, as providers in today’s medical industry face a large number of regulatory hurdles in their daily work and simply want to keep their patients’ data safe.
But what does it really mean to be HIPAA compliant? And is that even the right question to ask?
First, let’s quickly look at the regulation.
The Health Insurance Portability and Accountability Act (HIPAA) is the statute; the regulations that implement it (the Privacy, Security and Breach Notification Rules) are codified at 45 CFR parts 160, 162, and 164.
In brief, the rules establish national standards to protect protected health information (PHI) and define who may access, use and disclose that information.
The regulation starts off with the most pertinent information: who does HIPAA apply to? The covered entities are:
(1) a health plan,
(2) a health care clearinghouse,
(3) a health care provider who transmits any health information in electronic form in connection with a HIPAA-covered transaction, and
(4) since the 2013 Omnibus Rule, the business associates of those entities.
What stands out as missing? Software!
“A piece of software, in and of itself, cannot be ruled HIPAA compliant or not compliant. Your business, and by extension, many of your business associates, are governed by the HIPAA regulations. The software itself is not.”
You might then ask yourself: if the software cannot be HIPAA compliant, what should I really be asking?
1. Do We Have a Business Associate Agreement With Our Developer?
Many of your software vendors will be considered Business Associates, because they create, receive, maintain or transmit PHI on your behalf. You are required to have a signed Business Associate Agreement (BAA) on file with each company with which you share PHI.
Will the vendor sign a BAA with you? Are you required to sign theirs, or can you provide your own? HHS publishes a set of sample BAA provisions; use them as a checklist for whatever agreement you are offered.
2. What Technical Safeguards Are Used to Protect PHI?
You will also want to find out what technical safeguards are used to protect the information being shared, and, of paramount importance, who is responsible for each of them.
If the Business Associate hosts your data in its own environment, it is most likely responsible for the safeguards there, and the BAA should say so. If you are installing software on your own systems, then in most cases you are responsible. Either way, as the covered entity you retain responsibility for verifying that the safeguards exist.
3. Is Our Data Encrypted?
Look into the details: Is your data encrypted as it moves across networks? Is it encrypted at rest? Where are backups kept, and are they encrypted? Who controls the encryption keys, and who can decrypt the data?
If you are installing software on your own equipment, what policies and guidelines do you need to follow, and what security measures need to be in place to reduce the risk of a breach? Be sure that your BAA spells out liability and that you understand your own obligations.
An Example HIPAA Violation
In 2011, New York-Presbyterian Hospital accidentally allowed internet search engines to index PHI stored on its internal servers because of a server misconfiguration.
If you read through the HHS resolution agreement, you will see that HHS cited the hospital for several issues, including failing to conduct an accurate and thorough risk analysis, and, more broadly, either failing to implement procedures or failing to follow the procedures it had implemented.
The breach happened through software, but the fault (and the monetary penalty) lies with the organization for not doing enough to ensure PHI was secured.
The end result was a $3.3 million settlement with HHS. HHS publishes a set of HIPAA violation case examples for your review.
HIPAA is primarily about policies and documentation.
In many cases, what you are really asking is “Does this software cause me any additional burden for my business to comply with the HIPAA regulations?”
You are required to have agreements in place with every business associate you share PHI with.
You are required to have policies and procedures for how you and your staff should safeguard the PHI you maintain.
You should never undertake a new software project without understanding the impact that new piece of software or service will have on those policies and procedures.
In a Nutshell
Your software, or mobile app, is not HIPAA compliant, and no software can be. It is the policies and procedures you have in place to protect patient health information, and the agreements you hold with the vendors who handle it, that determine whether your organization complies with the HIPAA regulations.